TryHackMe-Bad Byte

Hey everyone, I hope you are doing well. I am back again doing some TryHackMe rooms, and I will be showing you how I solved the Bad Byte room, which is a good room that will teach you a few things if you are a beginner. Before reading the walkthrough, make sure to try it on your own, because this will contain spoilers. With that being said, let's jump in.

Rustscan

We have two ports open: one is 22 (SSH) and the other is 30024 (FTP).

PORT 30024 (FTP)

From the note.txt:

So errorcauser might be a username, and we have his id_rsa, so we can now SSH into the machine.

PORT 22 (SSH)

As soon as we try to log in with the private key, we find it is protected with a passphrase.

So here we need ssh2john to generate a hash from the key so we can crack it with John the Ripper or hashcat.

We successfully cracked the hash and got the passphrase, so now we should be able to log in.

We are logged in as errorcauser, but we see another note which tells us that there's a web server running on a local port.

Since neither ss nor netstat is installed, we have to create a SOCKS proxy on localhost to see which ports are open. To do that, we log in through SSH with dynamic port forwarding using this command:

ssh errorcauser@10.10.28.94 -i id_rsa -D 1337

Also add a socks5 proxy entry for 127.0.0.1 port 1337 in /etc/proxychains.conf.

Now run a TCP scan on localhost through the proxy.

So we can see two more ports, 80 and 3306. Let's look at port 80 to see what's running on it.

Add the proxy with the FoxyProxy extension, or you can add the proxy setting manually in the browser.

Using wpscan, I enumerated the user.

For some reason wpscan wasn't giving me the WordPress plugins, so I decided to use the NSE (Nmap Scripting Engine).

This is the script I used to enumerate plugins. Note that you need to supply the search-limit argument so the WordPress plugins script checks up to 1500 results:

proxychains nmap -sT -p 80 --script http-wordpress-enum --script-args search-limit=1500 127.0.0.1

So we have found these two plugins in use on the WordPress site, and both have exploits on Exploit-DB:

Duplicator (Arbitrary File Read)

WP File Manager (RCE)
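As an added example (not part of the original walkthrough), here is a small Python parser for the text output of that nmap script, so the plugin list and any versions it reports can be reviewed, for example to spot plugins that lag behind the latest release. The sample output and its version numbers are constructed and assume the script's usual layout; the "(latest version:...)" suffix, which the script prints only when asked to check for the latest release, is treated as optional.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout nmap's http-wordpress-enum script prints.
# Assumption: the version numbers are made up for this demo, not values from the room.
SAMPLE_OUTPUT = """\
80/tcp open  http
| http-wordpress-enum:
| Search limited to top 1500 themes/plugins
|   plugins
|     duplicator 1.0.0 (latest version:1.1.0)
|     wp-file-manager 2.0.0
|     all-in-one-seo-pack  (latest version:3.0.0)
|   themes
|     twentytwenty
|_    twentynineteen
"""

# Section names sit 3 spaces after the pipe, items 5 ("|_" marks the last line).
SECTION_RE = re.compile(r"^\|[ _] {2}(plugins|themes)\s*$")
ITEM_RE = re.compile(r"^\|[ _] {4}(\S+)"            # slug
                     r"(?:\s+([^\s(]+))?"            # detected version, if any
                     r"(?:\s+\(latest version:([^)]+)\))?\s*$")  # latest, if reported

Entry = Tuple[Optional[str], Optional[str]]  # (detected version, latest version)

def parse_wordpress_enum(output: str) -> Dict[str, Dict[str, Entry]]:
    """Turn the script's text output into {"plugins": {slug: (ver, latest)}, "themes": {...}}."""
    result: Dict[str, Dict[str, Entry]] = {"plugins": {}, "themes": {}}
    section: Optional[str] = None
    for line in output.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM_RE.match(line)
        if item and section:
            slug, version, latest = item.groups()
            result[section][slug] = (version, latest)
    return result

def outdated_plugins(parsed: Dict[str, Dict[str, Entry]]) -> List[str]:
    """Plugins whose detected version differs from the latest release nmap reported."""
    return sorted(s for s, (ver, latest) in parsed["plugins"].items()
                  if ver and latest and ver != latest)

def unversioned_plugins(parsed: Dict[str, Dict[str, Entry]]) -> List[str]:
    """Plugins found without a version string; these still need a manual version check."""
    return sorted(s for s, (ver, _) in parsed["plugins"].items() if ver is None)
```

Run it against a saved nmap output file instead of SAMPLE_OUTPUT to get the same structure for a real scan.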

I don't like the meterpreter shell, and I can't get bash through it, so I decided to generate a payload that gives me a reverse shell.

Now the room tells us that a password was logged, so by going to /var/log I find bash.log, which belongs to cth, and we can read it.

Here it gives us the old password. For the current password we can guess that, since the year is 2021, the password must be G00dP@$sw0rd2021.

And we guessed it right; we can run any command with sudo.

BS CS undergraduate | CTF Player